
server {
{% if spec.disable_https %}
    listen {{ spec.port or 80 }};
{% else %}
    listen                    {{ spec.port or 443 }} ssl;
    listen                    [::]:{{ spec.port or 443 }} ssl;
    ssl_certificate            /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    {% if spec.ssl_protocols %}
    ssl_protocols            {{ spec.ssl_protocols | join(' ') }};
    {% else %}
    ssl_protocols            TLSv1.3;
    {% endif %}
    {% if spec.ssl_ciphers %}
    ssl_ciphers            {{ spec.ssl_ciphers | join(':') }};
    {% else %}
    # from:  https://ssl-config.mozilla.org/#server=nginx
    ssl_ciphers              ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    {% endif %}

    # Only return Nginx in server header, no extra info will be provided
    server_tokens             {{ spec.server_tokens or 'off'}};

    # Perfect Forward Secrecy(PFS) is frequently compromised without this
    ssl_prefer_server_ciphers {{ spec.ssl_prefer_server_ciphers or 'on'}};

    # Enable SSL session caching for improved performance
    ssl_session_tickets       {{ spec.ssl_session_tickets or 'off'}};
    ssl_session_timeout       {{ spec.ssl_session_timeout or '1d'}};
    ssl_session_cache         {{ spec.ssl_session_cache or 'shared:SSL:10m'}};

    # OCSP stapling
    ssl_stapling              {{ spec.ssl_stapling or 'on'}};
    ssl_stapling_verify       {{ spec.ssl_stapling_verify or 'on'}};
    resolver_timeout 5s;

    # Security headers
    ## X-Content-Type-Options: avoid MIME type sniffing
    add_header X-Content-Type-Options nosniff;
    ## Strict Transport Security (HSTS): Yes
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    ## Enables the Cross-site scripting (XSS) filter in browsers.
    add_header X-XSS-Protection "1; mode=block";
    ## Content-Security-Policy (CSP): FIXME
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
{% endif %}

{% if oauth2_proxy_url %}
    location /oauth2/ {
        proxy_pass {{ oauth2_proxy_url }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # Check for original-uri header
        proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }

    location = /oauth2/auth {
        internal;
        proxy_pass {{ oauth2_proxy_url }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
{% endif %}

{% if dashboard_endpoints %}
    location / {
        proxy_pass {{ dashboard_scheme }}://dashboard_servers;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        {% if oauth2_proxy_url %}
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-Email $email;

        auth_request_set $groups $upstream_http_x_auth_request_groups;
        proxy_set_header X-User-Groups $groups;

        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-User $user;

        auth_request_set $token $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:80;
        proxy_set_header X-Forwarded-Port 80;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Groups $groups;

        proxy_http_version 1.1;

        proxy_set_header X-Forwarded-Proto "https";
        proxy_ssl_verify off;
        {% endif %}
    }
{% endif %}

{% if grafana_endpoints %}
    location /grafana {
        rewrite ^/grafana/(.*) /$1 break;
        proxy_pass {{ grafana_scheme }}://grafana_servers;
        # clear any Authorization header as Prometheus and Alertmanager are using basic-auth browser
        # will send this header if Grafana is running on the same node as one of those services
        proxy_set_header Authorization "";
        {% if oauth2_proxy_url %}
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        proxy_set_header X-Original-URI "/";

        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-WEBAUTH-USER $user;
        proxy_set_header X-WEBAUTH-EMAIL $email;

        # Pass role header to Grafana
        proxy_set_header X-WEBAUTH-ROLE $http_x_auth_request_role;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_set_header X-Forwarded-Proto $scheme;
        {% endif %}
    }
{% endif %}

{% if prometheus_endpoints %}
    location /prometheus {
        proxy_pass {{ prometheus_scheme }}://prometheus_servers;

        proxy_ssl_certificate /etc/nginx/ssl/nginx_internal.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/nginx_internal.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        {% if oauth2_proxy_url %}
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        {% endif %}
    }
{% endif %}

{% if alertmanager_endpoints %}
    location /alertmanager {
        proxy_pass {{ alertmanager_scheme }}://alertmanager_servers;

        proxy_ssl_certificate /etc/nginx/ssl/nginx_internal.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/nginx_internal.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        {% if oauth2_proxy_url %}
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        {% endif %}
    }
{% endif %}
}
